diff options
| author | Mauro Carvalho Chehab <mchehab@s-opensource.com> | 2017-11-14 10:47:01 -0500 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab@s-opensource.com> | 2017-11-14 10:47:01 -0500 |
| commit | f2ecc3d0787e05d9145722feed01d4a11ab6bec1 (patch) | |
| tree | 8b952af40dad67d728f1e421efc640907c523982 /kernel/bpf/sockmap.c | |
| parent | b1cb7372fa822af6c06c8045963571d13ad6348b (diff) | |
| parent | c14dd9d5f8beda9d8c621683b4e7d6cb5cd3cda7 (diff) | |
| download | linux-f2ecc3d0787e05d9145722feed01d4a11ab6bec1.tar.bz2 | |
Merge tag 'staging-4.15-rc1' into v4l_for_linus
There are some conflicts between staging and media trees,
as reported by Stephen Rothwell <sfr@canb.auug.org.au>.
So, merge from staging.
* tag 'staging-4.15-rc1': (775 commits)
staging: lustre: add SPDX identifiers to all lustre files
staging: greybus: Remove redundant license text
staging: greybus: add SPDX identifiers to all greybus driver files
staging: ccree: simplify ioread/iowrite
staging: ccree: simplify registers access
staging: ccree: simplify error handling logic
staging: ccree: remove dead code
staging: ccree: handle limiting of DMA masks
staging: ccree: copy IV to DMAable memory
staging: fbtft: remove redundant initialization of buf
staging: sm750fb: Fix parameter mistake in poke32
staging: wilc1000: Fix bssid buffer offset in Txq
staging: fbtft: fb_ssd1331: fix mirrored display
staging: android: Fix checkpatch.pl error
staging: greybus: loopback: convert loopback to use generic async operations
staging: greybus: operation: add private data with get/set accessors
staging: greybus: loopback: Fix iteration count on async path
staging: greybus: loopback: Hold per-connection mutex across operations
staging: greybus/loopback: use ktime_get() for time intervals
staging: fsl-dpaa2/eth: Extra headroom in RX buffers
...
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Diffstat (limited to 'kernel/bpf/sockmap.c')
| -rw-r--r-- | kernel/bpf/sockmap.c | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c index 6424ce0e4969..2b6eb35ae5d3 100644 --- a/kernel/bpf/sockmap.c +++ b/kernel/bpf/sockmap.c @@ -39,6 +39,7 @@ #include <linux/workqueue.h> #include <linux/list.h> #include <net/strparser.h> +#include <net/tcp.h> struct bpf_stab { struct bpf_map map; @@ -101,9 +102,16 @@ static int smap_verdict_func(struct smap_psock *psock, struct sk_buff *skb) return SK_DROP; skb_orphan(skb); + /* We need to ensure that BPF metadata for maps is also cleared + * when we orphan the skb so that we don't have the possibility + * to reference a stale map. + */ + TCP_SKB_CB(skb)->bpf.map = NULL; skb->sk = psock->sock; bpf_compute_data_end(skb); + preempt_disable(); rc = (*prog->bpf_func)(skb, prog->insnsi); + preempt_enable(); skb->sk = NULL; return rc; @@ -114,17 +122,10 @@ static void smap_do_verdict(struct smap_psock *psock, struct sk_buff *skb) struct sock *sk; int rc; - /* Because we use per cpu values to feed input from sock redirect - * in BPF program to do_sk_redirect_map() call we need to ensure we - * are not preempted. RCU read lock is not sufficient in this case - * with CONFIG_PREEMPT_RCU enabled so we must be explicit here. - */ - preempt_disable(); rc = smap_verdict_func(psock, skb); switch (rc) { case SK_REDIRECT: - sk = do_sk_redirect_map(); - preempt_enable(); + sk = do_sk_redirect_map(skb); if (likely(sk)) { struct smap_psock *peer = smap_psock_sk(sk); @@ -141,8 +142,6 @@ static void smap_do_verdict(struct smap_psock *psock, struct sk_buff *skb) /* Fall through and free skb otherwise */ case SK_DROP: default: - if (rc != SK_REDIRECT) - preempt_enable(); kfree_skb(skb); } } @@ -487,6 +486,9 @@ static struct bpf_map *sock_map_alloc(union bpf_attr *attr) int err = -EINVAL; u64 cost; + if (!capable(CAP_NET_ADMIN)) + return ERR_PTR(-EPERM); + /* check sanity of attributes */ if (attr->max_entries == 0 || attr->key_size != 4 || attr->value_size != 4 || attr->map_flags & ~BPF_F_NUMA_NODE) @@ -840,6 +842,12 @@ static int sock_map_update_elem(struct bpf_map *map, return -EINVAL; } + if (skops.sk->sk_type != SOCK_STREAM || + skops.sk->sk_protocol != IPPROTO_TCP) { + fput(socket->file); + return -EOPNOTSUPP; + } + err = sock_map_ctx_update_elem(&skops, map, key, flags); fput(socket->file); return err; |